Having worked around financial crimes for a number of years, I noticed they seemed to be on the rise.
One reason for this is technology, which grows more rapidly than laws designed to protect us from it.
Although the blog is a resource to educate people on identity theft, it also strives to educate the common person on the rapidly growing problem of crimes enabled (made too easy) by technology and the Internet.

Wednesday, March 19, 2008

Security vendor removes Hannaford as a client on their site after data breach is revealed!

I ran into an interesting development in the Hannaford data breach on geeksaresexy.net. Allegedly, their IT security vendor of choice (Rapid7) decided to disavow all knowledge of their relationship with Hannaford right after the breach was made public.

Instead, Rapid7 scrubbed all mentions of Hannaford from their client list. Rapid7 obviously didn’t want to be associated with one of the largest data loss incidents in history, and they certainly didn’t want to sully the name of their flagship appliance, the “neXpose”, which is a vulnerability scanning device.

This information is from Attrition.Org, an online security community that has been around since the predawn of the dot-com boom. They have an outstanding article, with screenshots here, where they are much less kind to Rapid7 in light of their cowardly actions.

Attrition.org is one of the trusted sources on data breaches, so I decided to see what they had found:

As of this writing, Rapid7 has replaced the information on their site showing Hannaford as a client.

I decided to run a query on Google News and discovered that so far the Boston Globe is one of the few mainstream e-rags reporting this.

The Boston Globe was able to get a comment from the marketing VP at Rapid7. Here is the "official explanation" from the article:

Was it damage control? Embarrassment about being linked to the breach? An admission that its software failed?

A Rapid7 executive says none of the above.

David Precopio, the company's vice president of marketing, said Hannaford asked Rapid7 to remove its name from the site once the data breach was made public. But after some sharp-eyed observers spotted the deletion (including the security website attrition.org), Precopio said Rapid7 asked Hannaford to let it repost the company’s name.

The Boston Globe was unable to get a comment from Hannaford about this matter.

I guess I'll have to leave it to the reader's imagination what the true intention in all of this was.